Fix CVE-2018-14424:

https://gitlab.gnome.org/GNOME/gdm/issues/401
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14424

Patch copied from upstream source repository:

https://gitlab.gnome.org/GNOME/gdm/commit/1ac1697b3b019f50729a6e992065959586e170da

From 1ac1697b3b019f50729a6e992065959586e170da Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Thu, 19 Jul 2018 18:26:05 +0100
Subject: [PATCH] display-store: Pass the display object rather than the id in
 the removed signal

By the time GdmDisplayStore emits the "display-removed" signal, the display
is no longer in the store and gdm_display_store_lookup will not work in
signal handlers.

Change the "display-removed" parameter from the display id to the GdmDisplay
object, so that signal handlers can perform any cleanup they need to do.

CVE-2018-14424

Closes: https://gitlab.gnome.org/GNOME/gdm/issues/401
---
 daemon/gdm-display-store.c         | 11 +++--------
 daemon/gdm-display-store.h         |  2 +-
 daemon/gdm-local-display-factory.c | 13 +++----------
 daemon/gdm-manager.c               | 19 +++++++++----------
 daemon/gdm-manager.h               |  3 ++-
 5 files changed, 18 insertions(+), 30 deletions(-)

diff --git a/daemon/gdm-display-store.c b/daemon/gdm-display-store.c
index af76f519..fd24334e 100644
--- a/daemon/gdm-display-store.c
+++ b/daemon/gdm-display-store.c
@@ -76,15 +76,10 @@ stored_display_new (GdmDisplayStore *store,
 static void
 stored_display_free (StoredDisplay *stored_display)
 {
-        char *id;
-
-        gdm_display_get_id (stored_display->display, &id, NULL);
-
         g_signal_emit (G_OBJECT (stored_display->store),
                        signals[DISPLAY_REMOVED],
                        0,
-                       id);
-        g_free (id);
+                       stored_display->display);
 
         g_debug ("GdmDisplayStore: Unreffing display: %p",
                  stored_display->display);
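Review bot: The emission in stored_display_free now hands handlers a bare `GdmDisplay *` with no statement of how long it stays valid, and the debug line right after it shows the store is about to drop its reference. A short comment above the `g_signal_emit` call would pin the contract, for example `/* Handlers get a borrowed display that is already out of the store; take a ref to keep it past the emission. */`. The rest of stored_display_free, including the actual unref, lies outside this hunk.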
@@ -281,9 +276,9 @@ gdm_display_store_class_init (GdmDisplayStoreClass *klass)
                               G_STRUCT_OFFSET (GdmDisplayStoreClass, display_removed),
                               NULL,
                               NULL,
-                              g_cclosure_marshal_VOID__STRING,
+                              g_cclosure_marshal_VOID__OBJECT,
                               G_TYPE_NONE,
-                              1, G_TYPE_STRING);
+                              1, G_TYPE_OBJECT);
 
         g_type_class_add_private (klass, sizeof (GdmDisplayStorePrivate));
 }
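Review bot: Registering the argument as `G_TYPE_OBJECT` lets any GObject pass the emission-time type check, although every handler in this patch treats it as a `GdmDisplay *`. Using `1, GDM_TYPE_DISPLAY);` would make GObject reject a wrong object at emit time instead of in the handler; this assumes gdm-display.h is already included in this file, as the removed gdm_display_get_id call suggests. The same applies to the "display-removed" registration in gdm_manager_class_init in daemon/gdm-manager.c. Both class_init bodies start outside their hunks.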
diff --git a/daemon/gdm-display-store.h b/daemon/gdm-display-store.h
index 28359933..0aff8ee2 100644
--- a/daemon/gdm-display-store.h
+++ b/daemon/gdm-display-store.h
@@ -49,7 +49,7 @@ typedef struct
         void          (* display_added)    (GdmDisplayStore *display_store,
                                             const char      *id);
         void          (* display_removed)  (GdmDisplayStore *display_store,
-                                            const char      *id);
+                                            GdmDisplay      *display);
 } GdmDisplayStoreClass;
 
 typedef enum
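Review bot: Changing this slot from `const char *id` to `GdmDisplay *display` is not enforced by the compiler for connected handlers, because GObject callbacks are normally attached through a `G_CALLBACK` cast. A handler that still declares a string parameter would read the object pointer as a C string. Only the two on_display_removed handlers in gdm-local-display-factory.c and gdm-manager.c are updated here, so any other connection to "display-removed" on GdmDisplayStore or GdmManager (gdm-manager.h changes the same way) needs checking by hand; none are visible in this patch.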
diff --git a/daemon/gdm-local-display-factory.c b/daemon/gdm-local-display-factory.c
index 5f1ae89e..39f3e30a 100644
--- a/daemon/gdm-local-display-factory.c
+++ b/daemon/gdm-local-display-factory.c
@@ -805,18 +805,11 @@ on_display_added (GdmDisplayStore        *display_store,
 
 static void
 on_display_removed (GdmDisplayStore        *display_store,
-                    const char             *id,
+                    GdmDisplay             *display,
                     GdmLocalDisplayFactory *factory)
 {
-        GdmDisplay *display;
-
-        display = gdm_display_store_lookup (display_store, id);
-
-        if (display != NULL) {
-                g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), factory);
-                g_object_weak_unref (G_OBJECT (display), (GWeakNotify)on_display_disposed, factory);
-
-        }
+        g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), factory);
+        g_object_weak_unref (G_OBJECT (display), (GWeakNotify)on_display_disposed, factory);
 }
 
 static gboolean
diff --git a/daemon/gdm-manager.c b/daemon/gdm-manager.c
index f17bd1a5..f6684a8b 100644
--- a/daemon/gdm-manager.c
+++ b/daemon/gdm-manager.c
@@ -1541,19 +1541,18 @@ on_display_status_changed (GdmDisplay *display,
 
 static void
 on_display_removed (GdmDisplayStore *display_store,
-                    const char      *id,
+                    GdmDisplay      *display,
                     GdmManager      *manager)
 {
-        GdmDisplay *display;
+        char    *id;
 
-        display = gdm_display_store_lookup (display_store, id);
-        if (display != NULL) {
-                g_dbus_object_manager_server_unexport (manager->priv->object_manager, id);
+        gdm_display_get_id (display, &id, NULL);
+        g_dbus_object_manager_server_unexport (manager->priv->object_manager, id);
+        g_free (id);
 
-                g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), manager);
+        g_signal_handlers_disconnect_by_func (display, G_CALLBACK (on_display_status_changed), manager);
 
-                g_signal_emit (manager, signals[DISPLAY_REMOVED], 0, id);
-        }
+        g_signal_emit (manager, signals[DISPLAY_REMOVED], 0, display);
 }
 
 static void
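Review bot: `id` in the new on_display_removed is declared uninitialized and the result of `gdm_display_get_id` is ignored, so if that call returns without writing the out-parameter (its body is not part of this diff), both `g_dbus_object_manager_server_unexport` and `g_free` receive an indeterminate pointer. Declaring `char *id = NULL;` and guarding the call, `if (gdm_display_get_id (display, &id, NULL)) g_dbus_object_manager_server_unexport (manager->priv->object_manager, id);`, keeps that path defined. The unexport is the security-relevant step: the old handler only ran it when the store lookup succeeded, which the commit message says could not happen at this point. A `g_warning` when the id cannot be read or the unexport returns FALSE would make a still-exported path for a removed display visible in logs.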
@@ -2535,9 +2534,9 @@ gdm_manager_class_init (GdmManagerClass *klass)
                               G_STRUCT_OFFSET (GdmManagerClass, display_removed),
                               NULL,
                               NULL,
-                              g_cclosure_marshal_VOID__STRING,
+                              g_cclosure_marshal_VOID__OBJECT,
                               G_TYPE_NONE,
-                              1, G_TYPE_STRING);
+                              1, G_TYPE_OBJECT);
 
         g_object_class_install_property (object_class,
                                          PROP_XDMCP_ENABLED,
diff --git a/daemon/gdm-manager.h b/daemon/gdm-manager.h
index 41c68a7a..c8fb3f22 100644
--- a/daemon/gdm-manager.h
+++ b/daemon/gdm-manager.h
@@ -24,6 +24,7 @@
 
 #include <glib-object.h>
 
+#include "gdm-display.h"
 #include "gdm-manager-glue.h"
 
 G_BEGIN_DECLS
@@ -50,7 +51,7 @@ typedef struct
         void          (* display_added)    (GdmManager      *manager,
                                             const char      *id);
         void          (* display_removed)  (GdmManager      *manager,
-                                            const char      *id);
+                                            GdmDisplay      *display);
 } GdmManagerClass;
 
 typedef enum
-- 
2.17.1

